pwn5_www2

pwn_spbctf

Task: NON-PIE x86-64 binary with stack canary, a custom .init_array constructor that prints /proc/self/maps (free libc leak) before main, and an 8-byte write-what-where (raw value + decimal strtol address). Solution: parse libc base from the startup maps dump, overwrite puts@GOT with system via the WWW primitive, then feed '/bin/sh' to the buffer so the later puts(rbp) becomes system('/bin/sh').

elf x86-64 ret2libc pwn no-pie canary got-overwrite partial-relro write-what-where remote libc-2.31 proc-self-maps www constructor-leak init-array puts-to-system strtol-decimal

got_overwritewrite_what_whereconstructor_libc_leakproc_self_maps_parseputs_to_system

$ ls tags/ techniques/

elf x86-64 ret2libc pwn no-pie canary got-overwrite partial-relro write-what-where remote libc-2.31 proc-self-maps www constructor-leak init-array puts-to-system strtol-decimal

got_overwritewrite_what_whereconstructor_libc_leakproc_self_maps_parseputs_to_system

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]pwn5_rw— pwn_spbctf
[pwn][Pro]pwn5_rhook— pwn_spbctf
[pwn][Pro]pwn4 call_fcn_rop— pwn_spbctf
[pwn][Pro]pwn5_www1— pwn_spbctf
[pwn][Pro]pwn6www / storage— pwn_spbctf